Coverage for cas_server/views.py: 99%

1# -*- coding: utf-8 -*- 

2# This program is distributed in the hope that it will be useful, but WITHOUT 

3# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 

4# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for 

5# more details. 

6# 

7# You should have received a copy of the GNU General Public License version 3 

8# along with this program; if not, write to the Free Software Foundation, Inc., 51 

9# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 

10# 

11# (c) 2015-2016 Valentin Samir 

12"""views for the app""" 

13from .default_settings import settings, SessionStore 

14 

15from django.shortcuts import render, redirect 

16from django.http import HttpResponse, HttpResponseRedirect 

17from django.contrib import messages 

18from django.utils.decorators import method_decorator 

19from django.utils import timezone 

20from django.views.decorators.csrf import csrf_exempt 

21from django.middleware.csrf import CsrfViewMiddleware 

22from django.views.generic import View 

23try: 

24 from django.utils.encoding import python_2_unicode_compatible 

25 from django.utils.translation import ugettext as _ 

26except ImportError: 

27 def python_2_unicode_compatible(func): 

28 """ 

29 We use Django >= 3.0 with Python >= 3.4, we don't need Python 2 compatibility. 

30 """ 

31 return func 

32 from django.utils.translation import gettext as _ 

33from django.utils.safestring import mark_safe 

34try: 

35 from django.urls import reverse 

36except ImportError: 

37 from django.core.urlresolvers import reverse 

38 

39import re 

40import logging 

41import pprint 

42import requests 

43from lxml import etree 

44from datetime import timedelta 

45 

46import cas_server.utils as utils 

47import cas_server.models as models 

48 

49from .utils import json_response, import_attr 

50from .models import Ticket, ServiceTicket, ProxyTicket, ProxyGrantingTicket 

51from .models import ServicePattern, FederatedIendityProvider, FederatedUser 

52from .federate import CASFederateValidateUser 

53 

54logger = logging.getLogger(__name__) 

55 

56 

57class LogoutMixin(object): 

58 """destroy CAS session utils""" 

59 

60 def logout(self, all_session=False): 

61 """ 

62 effectively destroy a CAS session 

63 

64 :param boolean all_session: If ``True`` destroy all the user sessions, otherwise 

65 destroy the current user session. 

66 :return: The number of destroyed sessions 

67 :rtype: int 

68 """ 

69 # initialize the counter of the number of destroyed sesisons 

70 session_nb = 0 

71 # save the current user username before flushing the session 

72 username = self.request.session.get("username") 

73 if username: 

74 if all_session: 

75 logger.info("Logging out user %s from all sessions." % username) 

76 else: 

77 logger.info("Logging out user %s." % username) 

78 users = [] 

79 # try to get the user from the current session 

80 try: 

81 users.append( 

82 models.User.objects.get( 

83 username=username, 

84 session_key=self.request.session.session_key 

85 ) 

86 ) 

87 except models.User.DoesNotExist: 

88 # if user not found in database, flush the session anyway 

89 self.request.session.flush() 

90 

91 # If all_session is set, search all of the user sessions 

92 if all_session: 

93 users.extend( 

94 models.User.objects.filter( 

95 username=username 

96 ).exclude( 

97 session_key=self.request.session.session_key 

98 ) 

99 ) 

100 

101 # Iterate over all user sessions that have to be logged out 

102 for user in users: 

103 # get the user session 

104 session = SessionStore(session_key=user.session_key) 

105 # flush the session 

106 session.flush() 

107 # send SLO requests 

108 user.logout(self.request) 

109 # delete the user 

110 user.delete() 

111 # increment the destroyed session counter 

112 session_nb += 1 

113 if username: 

114 logger.info("User %s logged out" % username) 

115 return session_nb 

116 

117 

118class CsrfExemptView(View): 

119 """base class for csrf exempt class views""" 

120 

121 @method_decorator(csrf_exempt) # csrf is disabled for allowing SLO requests reception 

122 def dispatch(self, request, *args, **kwargs): 

123 """ 

124 dispatch different http request to the methods of the same name 

125 

126 :param django.http.HttpRequest request: The current request object 

127 """ 

128 return super(CsrfExemptView, self).dispatch(request, *args, **kwargs) 

129 

130 

131class LogoutView(View, LogoutMixin): 

132 """destroy CAS session (logout) view""" 

133 

134 #: current :class:`django.http.HttpRequest` object 

135 request = None 

136 #: service GET parameter 

137 service = None 

138 #: url GET paramet 

139 url = None 

140 #: ``True`` if the HTTP_X_AJAX http header is sent and ``settings.CAS_ENABLE_AJAX_AUTH`` 

141 #: is ``True``, ``False`` otherwise. 

142 ajax = None 

143 

144 def init_get(self, request): 

145 """ 

146 Initialize the :class:`LogoutView` attributes on GET request 

147 

148 :param django.http.HttpRequest request: The current request object 

149 """ 

150 self.request = request 

151 self.service = request.GET.get('service') 

152 self.url = request.GET.get('url') 

153 self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META 

154 

155 @staticmethod 

156 def delete_cookies(response): 

157 if settings.CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT: 157 ↛ 158line 157 didn't jump to line 158 because the condition on line 157 was never true

158 response.delete_cookie(settings.SESSION_COOKIE_NAME) 

159 if settings.CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT: 159 ↛ 160line 159 didn't jump to line 160 because the condition on line 159 was never true

160 response.delete_cookie(settings.CSRF_COOKIE_NAME) 

161 if settings.CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT: 161 ↛ 162line 161 didn't jump to line 162 because the condition on line 161 was never true

162 response.delete_cookie(settings.LANGUAGE_COOKIE_NAME) 

163 return response 

164 

165 def get(self, request, *args, **kwargs): 

166 """ 

167 method called on GET request on this view 

168 

169 :param django.http.HttpRequest request: The current request object 

170 """ 

171 logger.info("logout requested") 

172 # initialize the class attributes 

173 self.init_get(request) 

174 # if CAS federation mode is enable, bakup the provider before flushing the sessions 

175 if settings.CAS_FEDERATE: 

176 try: 

177 user = FederatedUser.get_from_federated_username( 

178 self.request.session.get("username") 

179 ) 

180 auth = CASFederateValidateUser(user.provider, service_url="") 

181 except FederatedUser.DoesNotExist: 

182 auth = None 

183 session_nb = self.logout(self.request.GET.get("all")) 

184 # if CAS federation mode is enable, redirect to user CAS logout page, appending the 

185 # current querystring 

186 if settings.CAS_FEDERATE: 

187 if auth is not None: 

188 params = utils.copy_params(request.GET, ignore={"forget_provider"}) 

189 url = auth.get_logout_url() 

190 response = HttpResponseRedirect(utils.update_url(url, params)) 

191 if request.GET.get("forget_provider"): 

192 response.delete_cookie("remember_provider") 

193 return self.delete_cookies(response) 

194 # if service is set, redirect to service after logout 

195 if self.service: 

196 list(messages.get_messages(request)) # clean messages before leaving the django app 

197 return self.delete_cookies(HttpResponseRedirect(self.service)) 

198 # if service is not set but url is set, redirect to url after logout 

199 elif self.url: 

200 list(messages.get_messages(request)) # clean messages before leaving the django app 

201 return self.delete_cookies(HttpResponseRedirect(self.url)) 

202 else: 

203 # build logout message depending of the number of sessions the user logs out 

204 if session_nb == 1: 

205 logout_msg = mark_safe(_( 

206 "<h3>Logout successful</h3>" 

207 "You have successfully logged out from the Central Authentication Service. " 

208 "For security reasons, close your web browser." 

209 )) 

210 elif session_nb > 1: 

211 logout_msg = mark_safe(_( 

212 "<h3>Logout successful</h3>" 

213 "You have successfully logged out from %d sessions of the Central " 

214 "Authentication Service. " 

215 "For security reasons, close your web browser." 

216 ) % session_nb) 

217 else: 

218 logout_msg = mark_safe(_( 

219 "<h3>Logout successful</h3>" 

220 "You were already logged out from the Central Authentication Service. " 

221 "For security reasons, close your web browser." 

222 )) 

223 

224 # depending of settings, redirect to the login page with a logout message or display 

225 # the logout page. The default is to display tge logout page. 

226 if settings.CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT: 

227 messages.add_message(request, messages.SUCCESS, logout_msg) 

228 if self.ajax: 

229 url = reverse("cas_server:login") 

230 data = { 

231 'status': 'success', 

232 'detail': 'logout', 

233 'url': url, 

234 'session_nb': session_nb 

235 } 

236 return self.delete_cookies(json_response(request, data)) 

237 else: 

238 return self.delete_cookies(redirect("cas_server:login")) 

239 else: 

240 if self.ajax: 

241 data = {'status': 'success', 'detail': 'logout', 'session_nb': session_nb} 

242 return self.delete_cookies(json_response(request, data)) 

243 else: 

244 return self.delete_cookies(render( 

245 request, 

246 settings.CAS_LOGOUT_TEMPLATE, 

247 utils.context({'logout_msg': logout_msg}) 

248 )) 

249 

250 

251class FederateAuth(CsrfExemptView): 

252 """ 

253 view to authenticated user against a backend CAS then CAS_FEDERATE is True 

254 

255 csrf is disabled for allowing SLO requests reception. 

256 """ 

257 

258 #: current URL used as service URL by the CAS client 

259 service_url = None 

260 

261 def get_cas_client(self, request, provider, renew=False): 

262 """ 

263 return a CAS client object matching provider 

264 

265 :param django.http.HttpRequest request: The current request object 

266 :param cas_server.models.FederatedIendityProvider provider: the user identity provider 

267 :return: The user CAS client object 

268 :rtype: :class:`federate.CASFederateValidateUser 

269 <cas_server.federate.CASFederateValidateUser>` 

270 """ 

271 # compute the current url, ignoring ticket dans provider GET parameters 

272 service_url = utils.get_current_url(request, {"ticket", "provider"}) 

273 self.service_url = service_url 

274 return CASFederateValidateUser(provider, service_url, renew=renew) 

275 

276 def post(self, request, provider=None, *args, **kwargs): 

277 """ 

278 method called on POST request 

279 

280 :param django.http.HttpRequest request: The current request object 

281 :param unicode provider: Optional parameter. The user provider suffix. 

282 """ 

283 # if settings.CAS_FEDERATE is not True redirect to the login page 

284 if not settings.CAS_FEDERATE: 

285 logger.warning("CAS_FEDERATE is False, set it to True to use federation") 

286 return redirect("cas_server:login") 

287 # POST with a provider suffix, this is probably an SLO request. csrf is disabled for 

288 # allowing SLO requests reception 

289 try: 

290 provider = FederatedIendityProvider.objects.get(suffix=provider) 

291 auth = self.get_cas_client(request, provider) 

292 try: 

293 auth.clean_sessions(request.POST['logoutRequest']) 

294 except (KeyError, AttributeError): 

295 pass 

296 return HttpResponse("ok") 

297 # else, a User is trying to log in using an identity provider 

298 except FederatedIendityProvider.DoesNotExist: 

299 # Manually checking for csrf to protect the code below 

300 reason = CsrfViewMiddleware(lambda request: HttpResponse()) \ 

301 .process_view(request, None, (), {}) 

302 if reason is not None: # pragma: no cover (csrf checks are disabled during tests) 

303 return reason # Failed the test, stop here. 

304 form = import_attr(settings.CAS_FEDERATE_SELECT_FORM)(request.POST) 

305 if form.is_valid(): 

306 params = utils.copy_params( 

307 request.POST, 

308 ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt"} 

309 ) 

310 if params.get("renew") == "False": 

311 del params["renew"] 

312 url = utils.reverse_params( 

313 "cas_server:federateAuth", 

314 kwargs=dict(provider=form.cleaned_data["provider"].suffix), 

315 params=params 

316 ) 

317 return HttpResponseRedirect(url) 

318 else: 

319 return redirect("cas_server:login") 

320 

321 def get(self, request, provider=None): 

322 """ 

323 method called on GET request 

324 

325 :param django.http.HttpRequestself. request: The current request object 

326 :param unicode provider: Optional parameter. The user provider suffix. 

327 """ 

328 # if settings.CAS_FEDERATE is not True redirect to the login page 

329 if not settings.CAS_FEDERATE: 

330 logger.warning("CAS_FEDERATE is False, set it to True to use federation") 

331 return redirect("cas_server:login") 

332 renew = bool(request.GET.get('renew') and request.GET['renew'] != "False") 

333 # Is the user is already authenticated, no need to request authentication to the user 

334 # identity provider. 

335 if self.request.session.get("authenticated") and not renew: 

336 logger.warning("User already authenticated, dropping federated authentication request") 

337 return redirect("cas_server:login") 

338 try: 

339 # get the identity provider from its suffix 

340 provider = FederatedIendityProvider.objects.get(suffix=provider) 

341 # get a CAS client for the user identity provider 

342 auth = self.get_cas_client(request, provider, renew) 

343 # if no ticket submited, redirect to the identity provider CAS login page 

344 if 'ticket' not in request.GET: 

345 logger.info("Trying to authenticate %s again" % auth.provider.server_url) 

346 return HttpResponseRedirect(auth.get_login_url()) 

347 else: 

348 ticket = request.GET['ticket'] 

349 try: 

350 # if the ticket validation succeed 

351 if auth.verify_ticket(ticket): 

352 logger.info( 

353 "Got a valid ticket for %s from %s" % ( 

354 auth.username, 

355 auth.provider.server_url 

356 ) 

357 ) 

358 params = utils.copy_params(request.GET, ignore={"ticket", "remember"}) 

359 request.session["federate_username"] = auth.federated_username 

360 request.session["federate_ticket"] = ticket 

361 auth.register_slo( 

362 auth.federated_username, 

363 request.session.session_key, 

364 ticket 

365 ) 

366 # redirect to the the login page for the user to become authenticated 

367 # thanks to the `federate_username` and `federate_ticket` session parameters 

368 url = utils.reverse_params("cas_server:login", params) 

369 response = HttpResponseRedirect(url) 

370 # If the user has checked "remember my identity provider" store it in a 

371 # cookie 

372 if request.GET.get("remember"): 

373 max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT 

374 utils.set_cookie( 

375 response, 

376 "remember_provider", 

377 provider.suffix, 

378 max_age 

379 ) 

380 return response 

381 # else redirect to the identity provider CAS login page 

382 else: 

383 logger.info( 

384 ( 

385 "Got an invalid ticket %s from %s for service %s. " 

386 "Retrying authentication" 

387 ) % ( 

388 ticket, 

389 auth.provider.server_url, 

390 self.service_url 

391 ) 

392 ) 

393 return HttpResponseRedirect(auth.get_login_url()) 

394 # both xml.etree.ElementTree and lxml.etree exceptions inherit from SyntaxError 

395 except SyntaxError as error: 

396 messages.add_message( 

397 request, 

398 messages.ERROR, 

399 _( 

400 u"Invalid response from your identity provider CAS upon " 

401 u"ticket %(ticket)s validation: %(error)r" 

402 ) % {'ticket': ticket, 'error': error} 

403 ) 

404 response = redirect("cas_server:login") 

405 response.delete_cookie("remember_provider") 

406 return response 

407 except FederatedIendityProvider.DoesNotExist: 

408 logger.warning("Identity provider suffix %s not found" % provider) 

409 # if the identity provider is not found, redirect to the login page 

410 return redirect("cas_server:login") 

411 

412 

413class LoginView(View, LogoutMixin): 

414 """credential requestor / acceptor""" 

415 

416 # pylint: disable=too-many-instance-attributes 

417 # Nine is reasonable in this case. 

418 

419 #: The current :class:`models.User<cas_server.models.User>` object 

420 user = None 

421 #: The form to display to the user 

422 form = None 

423 

424 #: current :class:`django.http.HttpRequest` object 

425 request = None 

426 #: service GET/POST parameter 

427 service = None 

428 #: ``True`` if renew GET/POST parameter is present and not "False" 

429 renew = None 

430 #: the warn GET/POST parameter 

431 warn = None 

432 #: the gateway GET/POST parameter 

433 gateway = None 

434 #: the method GET/POST parameter 

435 method = None 

436 

437 #: ``True`` if the HTTP_X_AJAX http header is sent and ``settings.CAS_ENABLE_AJAX_AUTH`` 

438 #: is ``True``, ``False`` otherwise. 

439 ajax = None 

440 

441 #: ``True`` if the user has just authenticated 

442 renewed = False 

443 #: ``True`` if renew GET/POST parameter is present and not "False" 

444 warned = False 

445 

446 #: The :class:`FederateAuth` transmited username (only used if ``settings.CAS_FEDERATE`` 

447 #: is ``True``) 

448 username = None 

449 #: The :class:`FederateAuth` transmited ticket (only used if ``settings.CAS_FEDERATE`` is 

450 #: ``True``) 

451 ticket = None 

452 

453 INVALID_LOGIN_TICKET = 1 

454 USER_LOGIN_OK = 2 

455 USER_LOGIN_FAILURE = 3 

456 USER_ALREADY_LOGGED = 4 

457 USER_AUTHENTICATED = 5 

458 USER_NOT_AUTHENTICATED = 6 

459 

460 def init_post(self, request): 

461 """ 

462 Initialize POST received parameters 

463 

464 :param django.http.HttpRequest request: The current request object 

465 """ 

466 self.request = request 

467 self.service = request.POST.get('service') 

468 self.renew = bool(request.POST.get('renew') and request.POST['renew'] != "False") 

469 self.gateway = request.POST.get('gateway') 

470 self.method = request.POST.get('method') 

471 self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META 

472 if request.POST.get('warned') and request.POST['warned'] != "False": 

473 self.warned = True 

474 self.warn = request.POST.get('warn') 

475 if settings.CAS_FEDERATE: 

476 self.username = request.POST.get('username') 

477 # in federated mode, the valdated indentity provider CAS ticket is used as password 

478 self.ticket = request.POST.get('password') 

479 

480 def gen_lt(self): 

481 """Generate a new LoginTicket and add it to the list of valid LT for the user""" 

482 self.request.session['lt'] = self.request.session.get('lt', []) + [utils.gen_lt()] 

483 if len(self.request.session['lt']) > 100: 

484 self.request.session['lt'] = self.request.session['lt'][-100:] 

485 

486 def check_lt(self): 

487 """ 

488 Check is the POSTed LoginTicket is valid, if yes invalide it 

489 

490 :return: ``True`` if the LoginTicket is valid, ``False`` otherwise 

491 :rtype: bool 

492 """ 

493 # save LT for later check 

494 lt_valid = self.request.session.get('lt', []) 

495 lt_send = self.request.POST.get('lt') 

496 # generate a new LT (by posting the LT has been consumed) 

497 self.gen_lt() 

498 # check if send LT is valid 

499 if lt_send not in lt_valid: 

500 return False 

501 else: 

502 self.request.session['lt'].remove(lt_send) 

503 # we need to redo the affectation for django to detect that the list has changed 

504 # and for its new value to be store in the session 

505 self.request.session['lt'] = self.request.session['lt'] 

506 return True 

507 

508 def post(self, request, *args, **kwargs): 

509 """ 

510 method called on POST request on this view 

511 

512 :param django.http.HttpRequest request: The current request object 

513 """ 

514 # initialize class parameters 

515 self.init_post(request) 

516 # process the POST request 

517 ret = self.process_post() 

518 if ret == self.INVALID_LOGIN_TICKET: 

519 messages.add_message( 

520 self.request, 

521 messages.ERROR, 

522 _(u"Invalid login ticket, please try to log in again") 

523 ) 

524 elif ret == self.USER_LOGIN_OK: 

525 # On successful login, update the :class:`models.User<cas_server.models.User>` ``date`` 

526 # attribute by saving it. (``auto_now=True``) 

527 self.user = models.User.objects.get_or_create( 

528 username=self.request.session['username'], 

529 session_key=self.request.session.session_key 

530 )[0] 

531 self.user.last_login = timezone.now() 

532 self.user.save() 

533 elif ret == self.USER_LOGIN_FAILURE: # bad user login 

534 if settings.CAS_FEDERATE: 

535 self.ticket = None 

536 self.username = None 

537 self.init_form() 

538 # preserve valid LoginTickets from session flush 

539 lt = self.request.session.get('lt', []) 

540 # On login failure, flush the session 

541 self.logout() 

542 # restore valid LoginTickets 

543 self.request.session['lt'] = lt 

544 elif ret == self.USER_ALREADY_LOGGED: 

545 pass 

546 else: # pragma: no cover (should no happen) 

547 raise EnvironmentError("invalid output for LoginView.process_post") 

548 # call the GET/POST common part 

549 response = self.common() 

550 if self.warn: 

551 utils.set_cookie( 

552 response, 

553 "warn", 

554 "on", 

555 10 * 365 * 24 * 3600 

556 ) 

557 else: 

558 response.delete_cookie("warn") 

559 return response 

560 

561 def process_post(self): 

562 """ 

563 Analyse the POST request: 

564 

565 * check that the LoginTicket is valid 

566 * check that the user sumited credentials are valid 

567 

568 :return: 

569 * :attr:`INVALID_LOGIN_TICKET` if the POSTed LoginTicket is not valid 

570 * :attr:`USER_ALREADY_LOGGED` if the user is already logged and do no request 

571 reauthentication. 

572 * :attr:`USER_LOGIN_FAILURE` if the user is not logged or request for 

573 reauthentication and his credentials are not valid 

574 * :attr:`USER_LOGIN_OK` if the user is not logged or request for 

575 reauthentication and his credentials are valid 

576 :rtype: int 

577 """ 

578 if not self.check_lt(): 

579 self.init_form(self.request.POST) 

580 logger.warning("Received an invalid login ticket") 

581 return self.INVALID_LOGIN_TICKET 

582 elif not self.request.session.get("authenticated") or self.renew: 

583 # authentication request receive, initialize the form to use 

584 self.init_form(self.request.POST) 

585 if self.form.is_valid(): 

586 self.request.session.set_expiry(0) 

587 self.request.session["username"] = self.form.cleaned_data['username'] 

588 self.request.session["warn"] = True if self.form.cleaned_data.get("warn") else False 

589 self.request.session["authenticated"] = True 

590 self.renewed = True 

591 self.warned = True 

592 logger.info("User %s successfully authenticated" % self.request.session["username"]) 

593 return self.USER_LOGIN_OK 

594 else: 

595 logger.warning("A login attempt failed") 

596 return self.USER_LOGIN_FAILURE 

597 else: 

598 logger.warning("Received a login attempt for an already-active user") 

599 return self.USER_ALREADY_LOGGED 

600 

601 def init_get(self, request): 

602 """ 

603 Initialize GET received parameters 

604 

605 :param django.http.HttpRequest request: The current request object 

606 """ 

607 self.request = request 

608 self.service = request.GET.get('service') 

609 self.renew = bool(request.GET.get('renew') and request.GET['renew'] != "False") 

610 self.gateway = request.GET.get('gateway') 

611 self.method = request.GET.get('method') 

612 self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META 

613 self.warn = request.GET.get('warn') 

614 if settings.CAS_FEDERATE: 

615 # here username and ticket are fetch from the session after a redirection from 

616 # FederateAuth.get 

617 self.username = request.session.get("federate_username") 

618 self.ticket = request.session.get("federate_ticket") 

619 if self.username: 

620 del request.session["federate_username"] 

621 if self.ticket: 

622 del request.session["federate_ticket"] 

623 

624 def get(self, request, *args, **kwargs): 

625 """ 

626 method called on GET request on this view 

627 

628 :param django.http.HttpRequest request: The current request object 

629 """ 

630 # initialize class parameters 

631 self.init_get(request) 

632 # process the GET request 

633 self.process_get() 

634 # call the GET/POST common part 

635 return self.common() 

636 

637 def process_get(self): 

638 """ 

639 Analyse the GET request 

640 

641 :return: 

642 * :attr:`USER_NOT_AUTHENTICATED` if the user is not authenticated or is requesting 

643 for authentication renewal 

644 * :attr:`USER_AUTHENTICATED` if the user is authenticated and is not requesting 

645 for authentication renewal 

646 :rtype: int 

647 """ 

648 # generate a new LT 

649 self.gen_lt() 

650 if not self.request.session.get("authenticated") or self.renew: 

651 # authentication will be needed, initialize the form to use 

652 self.init_form() 

653 return self.USER_NOT_AUTHENTICATED 

654 return self.USER_AUTHENTICATED 

655 

656 def init_form(self, values=None): 

657 """ 

658 Initialization of the good form depending of POST and GET parameters 

659 

660 :param django.http.QueryDict values: A POST or GET QueryDict 

661 """ 

662 if values: 

663 values = values.copy() 

664 values['lt'] = self.request.session['lt'][-1] 

665 form_initial = { 

666 'service': self.service, 

667 'method': self.method, 

668 'warn': ( 

669 self.warn or self.request.session.get("warn") or self.request.COOKIES.get('warn') 

670 ), 

671 'lt': self.request.session['lt'][-1], 

672 'renew': self.renew 

673 } 

674 if settings.CAS_FEDERATE: 

675 if self.username and self.ticket: 

676 form_initial['username'] = self.username 

677 form_initial['password'] = self.ticket 

678 form_initial['ticket'] = self.ticket 

679 self.form = import_attr(settings.CAS_FEDERATE_USER_CREDENTIAL_FORM)( 

680 values, 

681 initial=form_initial 

682 ) 

683 else: 

684 self.form = import_attr( 

685 settings.CAS_FEDERATE_SELECT_FORM 

686 )(values, initial=form_initial) 

687 else: 

688 self.form = import_attr(settings.CAS_USER_CREDENTIAL_FORM)( 

689 values, 

690 initial=form_initial 

691 ) 

692 

693 def service_login(self): 

694 """ 

695 Perform login against a service 

696 

697 :return: 

698 * The rendering of the ``settings.CAS_WARN_TEMPLATE`` if the user asked to be 

699 warned before ticket emission and has not yep been warned. 

700 * The redirection to the service URL with a ticket GET parameter 

701 * The redirection to the service URL without a ticket if ticket generation failed 

702 and the :attr:`gateway` attribute is set 

703 * The rendering of the ``settings.CAS_LOGGED_TEMPLATE`` template with some error 

704 messages if the ticket generation failed (e.g: user not allowed). 

705 :rtype: django.http.HttpResponse 

706 """ 

707 try: 

708 # is the service allowed 

709 service_pattern = ServicePattern.validate(self.service) 

710 # is the current user allowed on this service 

711 service_pattern.check_user(self.user) 

712 # if the user has asked to be warned before any login to a service 

713 if self.request.session.get("warn", True) and not self.warned: 

714 messages.add_message( 

715 self.request, 

716 messages.WARNING, 

717 _(u"Authentication has been required by service %(name)s (%(url)s)") % 

718 {'name': service_pattern.name, 'url': self.service} 

719 ) 

720 if self.ajax: 

721 data = {"status": "error", "detail": "confirmation needed"} 

722 return json_response(self.request, data) 

723 else: 

724 warn_form = import_attr(settings.CAS_WARN_FORM)(initial={ 

725 'service': self.service, 

726 'renew': self.renew, 

727 'gateway': self.gateway, 

728 'method': self.method, 

729 'warned': True, 

730 'lt': self.request.session['lt'][-1] 

731 }) 

732 return render( 

733 self.request, 

734 settings.CAS_WARN_TEMPLATE, 

735 utils.context({'form': warn_form}) 

736 ) 

737 else: 

738 # redirect, using method ? 

739 list(messages.get_messages(self.request)) # clean messages before leaving django 

740 redirect_url = self.user.get_service_url( 

741 self.service, 

742 service_pattern, 

743 renew=self.renewed 

744 ) 

745 if not self.ajax: 

746 return HttpResponseRedirect(redirect_url) 

747 else: 

748 data = {"status": "success", "detail": "auth", "url": redirect_url} 

749 return json_response(self.request, data) 

750 except ServicePattern.DoesNotExist: 

751 error = 1 

752 messages.add_message( 

753 self.request, 

754 messages.ERROR, 

755 _(u'Service %(url)s not allowed.') % {'url': self.service} 

756 ) 

757 except models.BadUsername: 

758 error = 2 

759 messages.add_message( 

760 self.request, 

761 messages.ERROR, 

762 _(u"Username not allowed") 

763 ) 

764 except models.BadFilter: 

765 error = 3 

766 messages.add_message( 

767 self.request, 

768 messages.ERROR, 

769 _(u"User characteristics not allowed") 

770 ) 

771 except models.UserFieldNotDefined: 

772 error = 4 

773 messages.add_message( 

774 self.request, 

775 messages.ERROR, 

776 _(u"The attribute %(field)s is needed to use" 

777 u" that service") % {'field': service_pattern.user_field} 

778 ) 

779 

780 # if gateway is set and auth failed redirect to the service without authentication 

781 if self.gateway and not self.ajax: 

782 list(messages.get_messages(self.request)) # clean messages before leaving django 

783 return HttpResponseRedirect(self.service) 

784 

785 if not self.ajax: 

786 return render( 

787 self.request, 

788 settings.CAS_LOGGED_TEMPLATE, 

789 utils.context({'session': self.request.session}) 

790 ) 

791 else: 

792 data = {"status": "error", "detail": "auth", "code": error} 

793 return json_response(self.request, data) 

794 

795 def authenticated(self): 

796 """ 

797 Processing authenticated users 

798 

799 :return: 

800 * The returned value of :meth:`service_login` if :attr:`service` is defined 

801 * The rendering of ``settings.CAS_LOGGED_TEMPLATE`` otherwise 

802 :rtype: django.http.HttpResponse 

803 """ 

804 # Try to get the current :class:`models.User<cas_server.models.User>` object for the current 

805 # session 

806 try: 

807 self.user = models.User.objects.get( 

808 username=self.request.session.get("username"), 

809 session_key=self.request.session.session_key 

810 ) 

811 # if not found, flush the session and redirect to the login page 

812 except models.User.DoesNotExist: 

813 logger.warning( 

814 "User %s seems authenticated but is not found in the database." % ( 

815 self.request.session.get("username"), 

816 ) 

817 ) 

818 self.logout() 

819 if self.ajax: 

820 data = { 

821 "status": "error", 

822 "detail": "login required", 

823 "url": utils.reverse_params("cas_server:login", params=self.request.GET) 

824 } 

825 return json_response(self.request, data) 

826 else: 

827 return utils.redirect_params("cas_server:login", params=self.request.GET) 

828 

829 # if login against a service 

830 if self.service: 

831 return self.service_login() 

832 # else display the logged template 

833 else: 

834 if self.ajax: 

835 data = {"status": "success", "detail": "logged"} 

836 return json_response(self.request, data) 

837 else: 

838 return render( 

839 self.request, 

840 settings.CAS_LOGGED_TEMPLATE, 

841 utils.context({'session': self.request.session}) 

842 ) 

843 

844 def not_authenticated(self): 

845 """ 

846 Processing non authenticated users 

847 

848 :return: 

849 * The rendering of ``settings.CAS_LOGIN_TEMPLATE`` with various messages 

850 depending of GET/POST parameters 

851 * The redirection to :class:`FederateAuth` if ``settings.CAS_FEDERATE`` is ``True`` 

852 and the "remember my identity provider" cookie is found 

853 :rtype: django.http.HttpResponse 

854 """ 

855 if self.service: 

856 try: 

857 service_pattern = ServicePattern.validate(self.service) 

858 if self.gateway and not self.ajax: